Page 1: One Identity Manager LDAP Connector for IBM AS/400 Reference …support-public.cfm.quest.com/43732_OneIM_LDAPConnector... · 2017-11-03 · Name Value IdentDomain ThenameofyourAS/400domaine.g.AS400_001

One Identity Manager 8.0

LDAP Connector for IBM AS/400 Reference Guide


Copyright 2017 One Identity LLC.

ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of One Identity LLC. The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.

Patents

One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.OneIdentity.com/legal/patents.aspx.

Trademarks

One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners.

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

One Identity Manager LDAP Connector for IBM AS/400 Reference Guide
Updated - November 2017
Version - 8.0


Contents

Initializing and Configuring the LDAP Connector for IBM AS/400 4

Pre-requisites 4

Platform Support 5

How to initialize and configure the AS/400 LDAP connector 5

System Variables 6

Domain Filter Setting 7

User Mapping Information 8

Mandatory AS/400 User Attributes 9

Property Mapping Rules 10

Object Matching Rules 12

Sample User Mapping 13

Group Mapping Information 13

Mandatory AS/400 Group Attributes 14

Property Mapping Rules 15

Object Matching Rules 17

Sample Group Mapping 17

Appendix: AS/400 Attributes 19

About us 22

Contacting us 22

Technical support resources 22

One Identity Manager 8.0 LDAP Connector for IBM AS/400 ReferenceGuide 3

1 Initializing and Configuring the LDAP Connector for IBM AS/400

This document describes how to initialize and configure the AS/400 LDAP connector into an existing One Identity Manager system. This enables a One Identity Manager system to access, read and update data stored on an AS/400 system.

NOTE: Although the AS/400 system has been given more recent names such as iSeries and System i, it will be referred to as AS/400 throughout this document.

Detailed information about this topic

• Pre-requisites on page 4

• Platform Support on page 5

• How to initialize and configure the AS/400 LDAP connector on page 5

• Domain Filter Setting on page 7

• System Variables on page 6

• User Mapping Information on page 8

• Group Mapping Information on page 13

• Appendix: AS/400 Attributes on page 19

Pre-requisites

• The AS/400 computer must have IBM AS/400 Directory Services installed and configured.

• A service account must be created on your AS/400 server which has the appropriate permissions to administer users and groups on this platform:

  • Security administrator (*SECADM) special authority rights;

  • Object management (*OBJMGT) rights over the user profile accounts that are to be managed;


  • Use (*USE) rights over the user profile account(s) that are to be managed;

• The service account must be set up as a projected user.

NOTE: Before attempting to connect to the AS/400 Directory Services LDAP Server with the One Identity Manager connector, it is recommended to first check that the LDAP server is running correctly. This can be tested with any LDAP browser, for example the LDP.exe tool from Microsoft. For more information, see your LDAP browser documentation.

Platform Support

• The AS/400 LDAP connector has been verified for synchronization against OS/400 V7R1 or later.

How to initialize and configure the AS/400 LDAP connector

NOTE: The following sequence describes how you configure a synchronization project if the Synchronization Editor is in expert mode.

To set up an initial synchronization project for AS/400

1. Start the Synchronization Editor and log in.

2. From the start page, select Start a new synchronization project. 

This starts the Synchronization Editor's project wizard.

3. Select AS/400 LDAP Connector on the Choose target system page.

4. On the System access page, click Next.

5. On the Create system connection page, select Create new system connection.

6. On the system connection wizard start page, click Next.

7. On the Network page:

a. In the Server field, enter the DNS name or IP address of your mainframe server.

b. In the Port field, enter the port number.

c. Click on the Test button to make sure the server is accessible.

d. IBM AS/400 Directory Services supports LDAP v3. Enter the number 3 in the Protocol version field.

e. If SSL is to be used, check the Use SSL box.

8. On the Authentication page:

a. Set the Authentication method to "Basic".

b. In the Credentials section, enter the full DN and password of the administrator account on your AS/400 system.

c. Click Test to check that the credentials are valid.

9. The schema will be loaded from the AS/400 system.

10. Ignore the Define virtual classes page. Click Next.

11. On the Search options page:

a. In the Base DN drop-down list, select the correct base DN for your system. It should begin with OS400-SYS=.

b. Ignore the Use paged search check box.

12. Ignore the Modification capabilities page. Click Next.

13. Ignore the Auxiliary class assignment page. Click Next.

14. On the System attributes page, in the Revision properties section, deselect the "createTimestamp" and "modifyTimestamp" entries by double clicking on them.

15. Ignore the Select dynamic group attributes page. Click Next.

16. Ignore the Password settings page. Click Next.

17. Click Finish.

This takes you back to the Synchronization Editor's project wizard.

18. Enter the database connection data on the One Identity Manager connection page.

19. This will load the AS/400 schema into your One Identity Manager. Wait for this to complete.

20. On the Select project template page, select Create blank project.

21. On the General page, enter a display name for your synchronization project and set a scripting language if required.

22. Click Finish to complete the project wizard.

23. Select Activate project to activate the project.

System Variables

The following system variables need to be defined for the attribute mappings. For more detailed information about variables, see the One Identity Manager Target System Synchronization Reference Guide.

Name            Value
IdentDomain     The name of your AS/400 domain, e.g. AS400_001
UserLocation    Parent DN of your AS/400 user container, e.g. CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM
GroupLocation   Parent DN of your AS/400 group container, e.g. CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

Table 1: System variables

Related Topics

• Domain Filter Setting on page 7

• Property Mapping Rules on page 10

• Property Mapping Rules on page 15

Domain Filter Setting

A domain filter needs to be created to identify information that has been retrieved from the AS/400 database to keep it separate from other imported data.

1. Update the One Identity Manager schema so that all entries are included.

a. In the Synchronization Editor, open your AS/400 project.

b. Select the category Configuration | One Identity Manager connection.

c. Then in the "General" section on the right-hand side, click Update schema.

d. Click on Yes in the next two dialog boxes.

e. Click Ok when completed.

2. In the Manager

a. Select the category LDAP | Domains.

b. In the result list toolbar, click .


c. Enter at least the following general master data on the General tab.

Property                    Description
Display name                Display name, e.g. AS400 Domain 001
Distinguished name          Distinguished name of the domain, e.g. OS400-SYS=AS4001.MYCOMPANY.COM
Domain                      Domain name, e.g. AS400_001
Structural object class     Structural object class representing the object type; enter DCOBJECT

Table 2: Domain Master Data

d. Save the changes.

3. In the Synchronization Editor, open your AS/400 project.

a. Select the category Configuration | One Identity Manager connection.

b. Select the Scope view and click Edit scope.

c. Select the object type LDPDomain in the Scope hierarchy list and set the Object filter to: Ident_Domain='$IdentDomain$'.

d. Save the changes.

For more detailed information about scopes, see the One Identity Manager Target System Synchronization Reference Guide.

Related Topics

• System Variables on page 6

User Mapping Information

This section shows a possible mapping between a user account in AS/400 and the standard One Identity Manager database table called LDAPAccount. User and group information on the AS/400 is stored in the same container, so a filter needs to be set up to tell these apart.

• When creating the user mapping, add a new schema class as follows.

Property                      Value
Schema type                   os400-usprf
Display name                  user_os400_usrprf
Class name                    user_os400_usrprf
Select objects: Condition     os400_gid='*NONE'
Select objects: Ignore case   Activated

Table 3: Schema class settings

• Map the LDAPAccount (all) schema class to this new schema class, user_os400_usrprf, for this user mapping.

For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

• Mandatory AS/400 User Attributes on page 9

• Property Mapping Rules on page 10

• Object Matching Rules on page 12

• Sample User Mapping on page 13

Mandatory AS/400 User Attributes

When creating a user in the AS/400 database, the following LDAP attributes must be defined:

• objectclass

• os400-profile

Related Topics

• Property Mapping Rules on page 10

• Object Matching Rules on page 12

Property Mapping Rules

• CanonicalName ← vrtEntryCanonicalName

vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

Sample value:

AS4001.MYCOMPANY.COM/ACCOUNTS/USER1234

• cn ←→ os400-profile

On the AS/400 system, os400-profile is the user ID.

Sample value:

USER1234

• DistinguishedName ← vrtEntryDN

vrtEntryDN is a virtual property, set to the DN of the object in the connector. Once this mapping rule has been created, edit the mapping rule by clicking on it. Then check the box marked Force mapping against direction of synchronization.

Sample value:

os400-profile=USER1234,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

• ObjectClass ←→ objectClass

The objectClass attribute (multi-valued) on the AS/400 system. Activate the checkbox Ignore case sensitivity.

Sample value:

TOP;OS400-USRPRF

• StructuralObjectClass ← vrtStructuralObjectClass

vrtStructuralObjectClass on the AS/400 system defines the single object class for the object type.

Sample value:

OS400-USRPRF

• UID_LDPDomain ← vrtIdentDomain

Create a fixed value property variable on the AS/400 side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.

To solve the conflict

1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.

2. On the Select an element... page, select Ident_Domain and click OK.

3. Confirm the security prompt with OK.


4. On the Edit property... page,

a. Deactivate Save unresolvable keys.

b. Activate Handle failure to resolve as error.

c. To close the Property Mapping Rule Conflict Wizard, click OK.

Sample value:

AS400_001

• vrtParentDN → vrtEntryParentDN

Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $UserLocation$. Map this to vrtEntryParentDN on the AS/400 side.

Sample value:

CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

• vrtRDN → vrtEntryRDN

Create a new variable on the One Identity Manager side of type "Format Defined Property" with name vrtRDN. Set its value to os400-profile=%CN%. Then map this to vrtEntryRDN on the AS/400 side.

Sample value:

os400-profile=USER1234

• userPassword → os400-password

Used to change a user's AS/400 password. A condition needs to be set on this rule to map the password only when there is a value to be copied.

To add a condition

1. Create the mapping.

2. Edit the property mapping rule.

3. Expand the Condition for execution section at the bottom of the dialog.

4. Click on Add condition and set the following condition (a blank password is indicated by using two apostrophe characters).

Left.UserPassword<>''

• UID_LDAPContainer ← vrtEmpty

This is a workaround needed to support group mappings. Create a new fixed value variable on the AS/400 side of type "String" with no value called vrtEmpty. Map this to UID_LDAPContainer. This generates a property mapping rule conflict.

To solve the conflict

• In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.


Related Topics

• Mandatory AS/400 User Attributes on page 9

• System Variables on page 6

• Object Matching Rules on page 12

• Sample User Mapping on page 13

Object Matching Rules

• DistinguishedName (primary rule) vrtEntryDN

vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the AS/400 system.

To convert this mapping into an object matching rule

1. Select the property mapping rule in the rule window.

2. Click in the rule view toolbar.

A message appears.

3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.

4. Open the new object matching rule in the top window and uncheck the option Case sensitive.

Sample value:

os400-profile=USER1234,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

Related Topics

• Mandatory AS/400 User Attributes on page 9

• Property Mapping Rules on page 10

• Sample User Mapping on page 13

Sample User Mapping

The following figure shows the above user mapping in operation.

Group Mapping Information

This section shows a possible mapping between a group profile in AS/400 and the standard One Identity Manager database table called LDAPGroup. User and group information on the AS/400 is stored in the same container, so a filter needs to be set up to tell these apart.

• When creating the group mapping, add a new schema class as follows.

Property                      Value
Schema type                   os400-usprf
Display name                  group_os400_usrprf
Class name                    group_os400_usrprf
Select objects: Condition     os400_gid<>'*NONE'
Select objects: Ignore case   Activated

Table 4: Schema class settings

• Map the LDAPGroup (all) schema class to this new schema class, group_os400_usrprf, for this group mapping.

For more detailed information about setting up mappings, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

• Mandatory AS/400 Group Attributes on page 14

• Property Mapping Rules on page 15

• Object Matching Rules on page 17

• Sample Group Mapping on page 17

Mandatory AS/400 Group Attributes

When creating a group in the AS/400 database, the following LDAP attributes must be defined:

• objectclass

• os400-profile

• os400-groupmember (this is not mandatory but if omitted, a user profile will be created instead)
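The user/group split in Tables 3 and 4, the DN and canonical-name rules in the Property Mapping Rules sections, the mandatory-attribute lists above, and the blank-password condition on the userPassword rule can all be exercised outside the Synchronization Editor. The following Python script is an added example written for this page; it is not code from One Identity or from the connector. The dictionary representation of an LDAP entry, the sample entries, the simplified DN parsing (no escaped commas) and every function name are assumptions made here for illustration; the attribute names, conditions and sample values are the ones the guide uses.

```python
"""Added example (not One Identity code): model the AS/400 connector's
user/group classification, DN construction and mandatory-attribute check.
The entry format (attribute name -> list of values), the sample entries and
the function names are constructed here for illustration."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# System variables from Table 1, with the guide's sample values.
IDENT_DOMAIN = "AS400_001"
USER_LOCATION = "CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM"
GROUP_LOCATION = "CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM"
NONE_GID = "*NONE"


def attr(entry: Entry, name: str) -> List[str]:
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def classify(entry: Entry) -> Optional[str]:
    """Schema class conditions from Tables 3 and 4: os400-gid = '*NONE' selects a
    user profile, anything else a group profile. The comparison ignores case,
    matching the 'Ignore case' setting. Entries that are not os400-usrprf objects,
    or that carry no os400-gid at all, are out of scope and return None."""
    classes = {c.lower() for c in attr(entry, "objectClass")}
    if "os400-usrprf" not in classes:
        return None
    gid = attr(entry, "os400-gid")
    if not gid:
        return None
    return "user" if gid[0].upper() == NONE_GID else "group"


def rdn(profile: str) -> str:
    """vrtRDN rule: os400-profile=%CN%."""
    return f"os400-profile={profile}"


def entry_dn(profile: str, kind: str) -> str:
    """vrtEntryDN is the RDN under vrtEntryParentDN, which the guide sets to
    $UserLocation$ for users and $GroupLocation$ for groups."""
    parent = USER_LOCATION if kind == "user" else GROUP_LOCATION
    return f"{rdn(profile)},{parent}"


def canonical_name(dn: str) -> str:
    """vrtEntryCanonicalName derived from the DN (simplified parsing, assumes no
    escaped commas): 'os400-profile=USER1234,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM'
    becomes 'AS4001.MYCOMPANY.COM/ACCOUNTS/USER1234'."""
    values = [part.split("=", 1)[1] for part in dn.split(",")]
    return "/".join(reversed(values))


def missing_mandatory(entry: Entry, kind: str) -> List[str]:
    """Attributes an add operation must carry. objectclass and os400-profile are
    required for both kinds; a group also needs os400-groupmember, because the
    guide notes that without it the AS/400 creates a user profile instead."""
    required = ["objectclass", "os400-profile"]
    if kind == "group":
        required.append("os400-groupmember")
    return [name for name in required if not attr(entry, name)]


def should_map_password(user_password: Optional[str]) -> bool:
    """Condition for execution on userPassword -> os400-password:
    Left.UserPassword<>''. A blank or absent value is never pushed, so an empty
    field in One Identity Manager cannot overwrite an existing AS/400 password."""
    return bool(user_password)


# Constructed sample entries, not taken from the guide's figures.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "USER1234": {"objectClass": ["top", "os400-usrprf"],
                 "os400-profile": ["USER1234"], "os400-gid": ["*NONE"]},
    "GROUP123": {"objectClass": ["top", "os400-usrprf"],
                 "os400-profile": ["GROUP123"], "os400-gid": ["1001"],
                 "os400-groupmember": ["USER1234"]},
    "DCOBJ": {"objectClass": ["top", "dcObject"], "dc": ["as4001"]},
}


def describe(name: str) -> Optional[Dict[str, str]]:
    """Classify one sample entry and compute the mapped identity properties."""
    entry = SAMPLE_ENTRIES[name]
    kind = classify(entry)
    if kind is None:
        return None
    dn = entry_dn(attr(entry, "os400-profile")[0], kind)
    return {"kind": kind, "dn": dn, "canonical": canonical_name(dn),
            "uid_ldpdomain": IDENT_DOMAIN}


if __name__ == "__main__":
    for sample in SAMPLE_ENTRIES:
        print(sample, describe(sample), missing_mandatory(SAMPLE_ENTRIES[sample], "group"))
```

Running the script prints the classification, DN and canonical name for the two profile entries and None for the dcObject entry, which the schema class filter excludes. The `missing_mandatory` check is the pre-flight a practitioner wants before a provisioning run: a group add that lacks os400-groupmember would silently become a user profile, so the check reports that attribute rather than letting the request through.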

Related Topics

• Property Mapping Rules on page 15

• Object Matching Rules on page 17

Property Mapping Rules

• CanonicalName ← vrtEntryCanonicalName

vrtEntryCanonicalName is a virtual property, set to the canonical name of the object in the connector.

Sample value:

AS4001.MYCOMPANY.COM/ACCOUNTS/GROUP123

• cn ←→ os400-profile

On the AS/400 system, os400-profile is the group ID.

Sample value:

USERGRP

• DistinguishedName ← vrtEntryDN

vrtEntryDN is a virtual property, set to the DN of the object in the connector.

Sample value:

os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

• ObjectClass ←→ objectClass

The objectClass attribute (multi-valued) on the AS/400 system. Activate the checkbox Ignore case sensitivity.

Sample value:

TOP;OS400-USRPRF

• StructuralObjectClass ← vrtStructuralObjectClass

vrtStructuralObjectClass on the AS/400 system defines the single object class for the object type.

Sample value:

OS400-USRPRF

• vrtParentDN → vrtEntryParentDN

Create a fixed value property variable on the One Identity Manager side called vrtParentDN equal to a fixed string with value $GroupLocation$. Map this to vrtEntryParentDN on the AS/400 side.

Sample value:

CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

• vrtRDN → vrtEntryRDN

Create a virtual attribute on the One Identity Manager side equal to the CN value. Then map this to vrtEntryRDN on the AS/400 side.

Sample value:

os400-profile=GROUP123


• UID_LDAPContainer ← vrtEmpty

This is a workaround needed to support group mappings. Create a new fixed value variable on the AS/400 side of type "String" with no value called vrtEmpty. Map this to UID_LDAPContainer. This generates a property mapping rule conflict.

To solve the conflict

• In the Property Mapping Rule Conflict Wizard, highlight Select this option if you do not want to change anything and click OK.

• vrtMember ←→ os400-groupmember

Synchronizing this attribute on the AS/400 will manage the group memberships for the user.

1. Create a new virtual entry on the One Identity Manager side of type "Members of M:N schema types" with name vrtMember. Activate the boxes to Ignore case and Enable relative component handling.

2. Add an entry for LDAPAccountInLDAPGroup(all). Set the left box to UID_LDAPGroup and the right box to UID_LDAPAccount. Set the Primary Key Property to DistinguishedName.

3. Create a new mapping rule of type "Multi-reference mapping rule". Set the rule name to "Member" and the mapping direction to "Both directions". Set the One Identity Manager schema property to vrtMember and the AS/400 schema property to os400-groupmember.

• UID_LDPDomain ← vrtIdentDomain

Create a fixed value property variable on the AS/400 side called vrtIdentDomain that is set to the value $IdentDomain$. Map this to UID_LDPDomain. This will cause a conflict and the Property Mapping Rule Conflict Wizard opens automatically.

To solve the conflict

1. In the Property Mapping Rule Conflict Wizard, select the first option and click OK.

2. On the Select an element... page, select Ident_Domain and click OK.

3. Confirm the security prompt with OK.

4. On the Edit property... page,

a. Deactivate Save unresolvable keys.

b. Activate Handle failure to resolve as error.

c. To close the Property Mapping Rule Conflict Wizard, click OK.

Sample value:

AS400_001

Related Topics

• Mandatory AS/400 Group Attributes on page 14

• System Variables on page 6

• Object Matching Rules on page 17

• Sample Group Mapping on page 17

Object Matching Rules

• DistinguishedName (primary rule) vrtEntryDN

vrtEntryDN is a virtual property, set to the DN of the object in the connector. This forms a unique ID to distinguish individual user objects on the AS/400 system.

To convert this mapping into an object matching rule

1. Select the property mapping rule in the rule window.

2. Click in the rule view toolbar.

A message appears.

3. Click Yes to convert the property mapping rule into an object matching rule and save a copy of the property mapping rule.

Sample value:

os400-profile=GROUP123,CN=ACCOUNTS,OS400-SYS=AS4001.MYCOMPANY.COM

Related Topics

• Mandatory AS/400 Group Attributes on page 14

• Property Mapping Rules on page 15

• Sample Group Mapping on page 17

Sample Group Mapping

The following figure shows the above group mapping in operation.

A Appendix: AS/400 Attributes

The following table lists the AS/400 attributes that are made available to One Identity Manager by the AS/400 LDAP connector. User and group objects in the AS/400 Directory Server are treated at the same level.

Attribute Name

os400-acgcde
os400-astlvl
os400-atnpgm
os400-audlvl
os400-ccsid
os400-chridctl
os400-cntryid
os400-curlib
os400-dlvry
os400-docpwd
os400-dspsgninf
os400-eimassoc
os400-gid
os400-groupmember
os400-grpaut
os400-grpauttyp
os400-grpprf
os400-homedir
os400-laspStorageInformation
os400-inlmnu
os400-inlpgm
os400-invalidSignonCount
os400-jobd
os400-kbdbuf
os400-langid
os400-lclpwdmgt
os400-lmtdevssn
os400-locale
os400-maxstg
os400-msgq
os400-objaud
os400-outq
os400-owner
os400-password
os400-passwordExpirationDate
os400-passwordLastChanged
os400-previousSignon
os400-profile
os400-prtdev
os400-ptylmt
os400-pwdexp
os400-pwdexpitv
os400-setobatr
os400-sev
os400-spcaut
os400-spcenv
os400-status
os400-storageUsed
os400-storageUsedOnlasp
os400-supgrpprf
os400-text
os400-uid
os400-usrcls
os400-usropt

Table 5: List of AS/400 Attributes

About us

Contacting us

For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

• Submit and manage a Service Request

• View Knowledge Base articles

• Sign up for product notifications

• Download software and technical documentation

• View how-to videos at www.YouTube.com/OneIdentity

• Engage in community discussions

• Chat with support engineers online

• View services to assist you with your product